CSF and Country Blocking

S

SlapHappy

Member
Jul 8, 2014
18
1
53
cPanel Access Level
Reseller Owner
We have a vps (WHM) running CSF that is currently blocking China via the Country Block option. Unfortunately we have clients that now have regular contact with China based suppliers and it appears the country block is stopping legitimate emails being received.

Is there a way to allow specific domains/ip's to bypass the CSF country block?
 
keat63

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
If you know the IP's of the customers, then whitelisting these (adding to the allow list) should work.
I've considered having only port 25 pen to china, but not yet figured out how I can do this easily.
 
  • Like
Reactions: kadrin
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
Specific IP's in the whitelist should take precedence over the country blocking as far as I am aware.

@keat63 have you looked at the following?:


Code: 
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""
 
S

SlapHappy

Member
Jul 8, 2014
18
1
53
cPanel Access Level
Reseller Owner
White-listing IP's has worked in the past for some cases, but lately it has been been hit and miss. We white-list every IP we can see related to the incoming message but it still never arrives. My guess is that maybe the IP addresses are obfuscated in some fashion.

With clients getting restless we removed CN from the country block list for now
 
keat63

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
This feature I can't get my head around.
Rather than blocking a small handful of countries, this feature sounds like you block everything and then allow only the countries you want.
Sort of the opposite ??

I'm currently toying with

CC_DENY_PORTS
I added CN.

Then in CC_DENY_PORTS_TCP
I added 20,21,53,80,443,2077,2078,2086,2095,2096

Although I'm sure there are many ports I'm missing.
 
Last edited:
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
IT is a bit of the opposite but seemed like the only way to do what was requested using CC blocking. CSF may have some more detailed uses for this or a way to implement what is being requested on their forums as well.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
J Excessive resource usage and csf default install Security 3
S SOLVED CSF country block but allow DNS Security 5
J csf not show country Security 3
C how to prevent any IP of indian country being blocked in CSF firwall Security 1
konrath How to block a country in CSF? Security 1
Similar threads
Excessive resource usage and csf default install
SOLVED CSF country block but allow DNS
csf not show country
how to prevent any IP of indian country being blocked in CSF firwall
How to block a country in CSF?
Top Bottom